Using public computers for internet banking isn’t a good idea. Did you know that already? Probably yes, because there are many cases where somebody put malware on the computers in internet cafés, libraries, schools, etc. But many of those attacks look “useless” when compared with the attack we are going to warn you about today. This attack needs no programming, no downloading and installing a sniffer, and no other complex techniques.
With this attack method it’s easy for anybody to sniff credentials, and that’s why the risk is so high. Using this method, anybody can succeed in sniffing passwords on public computers.
Attention: This text is not intended to promote hacking methods. You should consider this article educational material for learning how to protect against hacking techniques.
What does a common public computer look like?
- Windows OS installed (mostly XP, Vista, 7)
- Internet Explorer installed as the only web browser (mostly before the Browser Choice Update (KB976002))
- if any other web browser is installed (let’s say Mozilla Firefox), it was probably installed under the administrator account for all user accounts
- users are logged in under an account with limited privileges, where they can install/execute EXE files, but there are limits on where they can write
The “Firefox” icon is the hacker’s fake icon and “Mozilla Firefox” is the original browser icon
If a user starts to work with the computer and wants to use the internet, he probably clicks on the Firefox icon on the Desktop. That icon is the shortcut to the original Firefox installed by the administrator, so it’s all right.
But what happens if a hacker wants to sniff the login credentials? It’s easier than you think – first of all he needs to install Firefox again, but has to choose a new destination, because he would need administrator privileges to write where the original Firefox is installed.
However, there’s a problem – there are now two Firefox icons on the Desktop. A hacker who is logged in as an unprivileged user can’t delete the original icon, but he has to get that icon off the Desktop. How? There’s no need to delete the icon, because it is possible to move it out of the monitor’s display range.
Right click on the Desktop->“Arrange Icons By”->“Align to Grid”. Now it is possible to move the icon behind the monitor border easily – catch the Fox by its left ear and move the icon to the bottom right corner.
Uncheck the “Align to Grid” button.
The original Firefox icon is in the bottom right corner
Now it’s done and users will always click on the hacker’s Firefox icon. The last step is editing the nsLoginManagerPrompter.js file so that Firefox does not ask users whether they want to save their login credentials. It is located at %installation_directory%\Mozilla Firefox\components
The whole thing is about finding the function
_showSaveLoginNotification : function (aNotifyBox, aLogin) {
and deleting the whole content except this code
var pwmgr = this._pwmgr; pwmgr.addLogin(aLogin);
The way this behavior can be guaranteed isn’t new and was discussed at http://www.raymond.cc/blog/archives/2009/11/05/hacking-firefox-to-always-auto-save-password-without-showing-notification-bar/. Firefox’s password manager was also discussed this month on Webroot.com, where they described a worm that used this Firefox feature.
This password manager will contain the login credentials after the successful attack
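A defender-side check for the edit described above, added here as an example and not part of the original article or of Firefox: it flags a copy of nsLoginManagerPrompter.js in which addLogin() runs directly in _showSaveLoginNotification instead of inside a nested callback. The two sample sources are constructed and simplified, `_showBar` is a hypothetical name, and the brace matching is a heuristic that ignores braces inside strings and comments.

```python
import re

FUNC = "_showSaveLoginNotification"  # function named in the article

# Constructed, simplified samples (not real Firefox source; _showBar is hypothetical).
PROMPTING = """
_showSaveLoginNotification : function (aNotifyBox, aLogin) {
    var pwmgr = this._pwmgr;
    var buttons = [{ label: "Remember",
                     callback: function () { pwmgr.addLogin(aLogin); } }];
    this._showBar(aNotifyBox, buttons);
},
"""
PATCHED = """
_showSaveLoginNotification : function (aNotifyBox, aLogin) {
    var pwmgr = this._pwmgr; pwmgr.addLogin(aLogin);
},
"""

def function_body(js, name=FUNC):
    """Return the text inside the braces of `name : function (...) { ... }`."""
    m = re.search(re.escape(name) + r"\s*:\s*function\s*\([^)]*\)\s*\{", js)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(js)):
        depth += {"{": 1, "}": -1}.get(js[i], 0)
        if depth == 0:
            return js[m.end():i]
    return None  # unbalanced braces: truncated or damaged file

def classify(js):
    """'auto-save' if addLogin() is called at the top level of the function
    body, 'prompt-intact' if only inside nested blocks, else 'not-found'."""
    body = function_body(js)
    if body is None:
        return "not-found"
    depth = 0
    for m in re.finditer(r"[{}]|\baddLogin\s*\(", body):
        tok = m.group()
        if tok in "{}":
            depth += 1 if tok == "{" else -1
        elif depth == 0:
            return "auto-save"
    return "prompt-intact"

if __name__ == "__main__":
    for label, src in (("constructed stock-like", PROMPTING), ("constructed patched", PATCHED)):
        print(label, "->", classify(src))
```

Run classify() over the nsLoginManagerPrompter.js of every Firefox installation found on the machine; a second installation in a user-writable location is itself worth investigating, given the setup described above.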
Why is all this possible?
The first thing that should be said is that using a public computer is always a high risk. It’s easy to sniff passwords using a lot of methods which are not so hard to do. But the way described in this article is really very easy because of these facts: Firefox is a popular web browser, and all that is needed is a simple installation, a simple edit of a JavaScript file and moving an icon. Since this is not a bug or a bad implementation, it will be interesting to see whether hackers use this feature more in the future.



